scram.h File Reference

#include "lib/stringinfo.h"
#include "libpq/libpq-be.h"

Include dependency graph for scram.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros
#define	SASL_EXCHANGE_CONTINUE   0
#define	SASL_EXCHANGE_SUCCESS   1
#define	SASL_EXCHANGE_FAILURE   2

Functions
void	pg_be_scram_get_mechanisms (Port *port, StringInfo buf)
void *	pg_be_scram_init (Port *port, const char *selected_mech, const char *shadow_pass)
int	pg_be_scram_exchange (void *opaq, const char *input, int inputlen, char **output, int *outputlen, char **logdetail)
char *	pg_be_scram_build_secret (const char *password)
bool	parse_scram_secret (const char *secret, int *iterations, char **salt, uint8 *stored_key, uint8 *server_key)
bool	scram_verify_plain_password (const char *username, const char *password, const char *secret)

Macro Definition Documentation

SASL_EXCHANGE_CONTINUE

#define SASL_EXCHANGE_CONTINUE   0

Definition at line 20 of file scram.h.

Referenced by CheckSCRAMAuth(), and pg_be_scram_exchange().

SASL_EXCHANGE_FAILURE

#define SASL_EXCHANGE_FAILURE   2

Definition at line 22 of file scram.h.

Referenced by pg_be_scram_exchange().

SASL_EXCHANGE_SUCCESS

#define SASL_EXCHANGE_SUCCESS   1

Definition at line 21 of file scram.h.

Referenced by CheckSCRAMAuth(), and pg_be_scram_exchange().

Function Documentation

parse_scram_secret()

bool parse_scram_secret	(	const char *	secret,
		int *	iterations,
		char **	salt,
		uint8 *	stored_key,
		uint8 *	server_key
	)

Definition at line 560 of file auth-scram.c.

References palloc(), pg_b64_dec_len(), pg_b64_decode(), pstrdup(), and SCRAM_KEY_LEN.

Referenced by get_password_type(), pg_be_scram_init(), and scram_verify_plain_password().

{
    char       *v;
    char       *p;
    char       *scheme_str;
    char       *salt_str;
    char       *iterations_str;
    char       *storedkey_str;
    char       *serverkey_str;
    int         decoded_len;
    char       *decoded_salt_buf;
    char       *decoded_stored_buf;
    char       *decoded_server_buf;

    /*
     * The secret is of form:
     *
     * SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>
     */
    v = pstrdup(secret);
    if ((scheme_str = strtok(v, "$")) == NULL)
        goto invalid_secret;
    if ((iterations_str = strtok(NULL, ":")) == NULL)
        goto invalid_secret;
    if ((salt_str = strtok(NULL, "$")) == NULL)
        goto invalid_secret;
    if ((storedkey_str = strtok(NULL, ":")) == NULL)
        goto invalid_secret;
    if ((serverkey_str = strtok(NULL, "")) == NULL)
        goto invalid_secret;

    /* Parse the fields */
    if (strcmp(scheme_str, "SCRAM-SHA-256") != 0)
        goto invalid_secret;

    errno = 0;
    *iterations = strtol(iterations_str, &p, 10);
    if (*p || errno != 0)
        goto invalid_secret;

    /*
     * Verify that the salt is in Base64-encoded format, by decoding it,
     * although we return the encoded version to the caller.
     */
    decoded_len = pg_b64_dec_len(strlen(salt_str));
    decoded_salt_buf = palloc(decoded_len);
    decoded_len = pg_b64_decode(salt_str, strlen(salt_str),
                                decoded_salt_buf, decoded_len);
    if (decoded_len < 0)
        goto invalid_secret;
    *salt = pstrdup(salt_str);

    /*
     * Decode StoredKey and ServerKey.
     */
    decoded_len = pg_b64_dec_len(strlen(storedkey_str));
    decoded_stored_buf = palloc(decoded_len);
    decoded_len = pg_b64_decode(storedkey_str, strlen(storedkey_str),
                                decoded_stored_buf, decoded_len);
    if (decoded_len != SCRAM_KEY_LEN)
        goto invalid_secret;
    memcpy(stored_key, decoded_stored_buf, SCRAM_KEY_LEN);

    decoded_len = pg_b64_dec_len(strlen(serverkey_str));
    decoded_server_buf = palloc(decoded_len);
    decoded_len = pg_b64_decode(serverkey_str, strlen(serverkey_str),
                                decoded_server_buf, decoded_len);
    if (decoded_len != SCRAM_KEY_LEN)
        goto invalid_secret;
    memcpy(server_key, decoded_server_buf, SCRAM_KEY_LEN);

    return true;

invalid_secret:
    *salt = NULL;
    return false;
}

pg_be_scram_build_secret()

char* pg_be_scram_build_secret

(

const char *

password

)

Definition at line 451 of file auth-scram.c.

References ereport, errcode(), errmsg(), ERROR, pfree(), pg_saslprep(), pg_strong_random(), SASLPREP_SUCCESS, scram_build_secret(), SCRAM_DEFAULT_ITERATIONS, and SCRAM_DEFAULT_SALT_LEN.

Referenced by encrypt_password().

{
    char       *prep_password;
    pg_saslprep_rc rc;
    char        saltbuf[SCRAM_DEFAULT_SALT_LEN];
    char       *result;

    /*
     * Normalize the password with SASLprep.  If that doesn't work, because
     * the password isn't valid UTF-8 or contains prohibited characters, just
     * proceed with the original password.  (See comments at top of file.)
     */
    rc = pg_saslprep(password, &prep_password);
    if (rc == SASLPREP_SUCCESS)
        password = (const char *) prep_password;

    /* Generate random salt */
    if (!pg_strong_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
        ereport(ERROR,
                (errcode(ERRCODE_INTERNAL_ERROR),
                 errmsg("could not generate random salt")));

    result = scram_build_secret(saltbuf, SCRAM_DEFAULT_SALT_LEN,
                                SCRAM_DEFAULT_ITERATIONS, password);

    if (prep_password)
        pfree(prep_password);

    return result;
}

pg_be_scram_exchange()

int pg_be_scram_exchange	(	void *	opaq,
		const char *	input,
		int	inputlen,
		char **	output,
		int *	outputlen,
		char **	logdetail
	)

Definition at line 328 of file auth-scram.c.

References Assert, build_server_final_message(), build_server_first_message(), scram_state::doomed, elog, ereport, errcode(), errdetail(), errmsg(), ERROR, scram_state::logdetail, pstrdup(), read_client_final_message(), read_client_first_message(), SASL_EXCHANGE_CONTINUE, SASL_EXCHANGE_FAILURE, SASL_EXCHANGE_SUCCESS, SCRAM_AUTH_FINISHED, SCRAM_AUTH_INIT, SCRAM_AUTH_SALT_SENT, scram_state::state, verify_client_proof(), and verify_final_nonce().

Referenced by CheckSCRAMAuth().

{
    scram_state *state = (scram_state *) opaq;
    int         result;

    *output = NULL;

    /*
     * If the client didn't include an "Initial Client Response" in the
     * SASLInitialResponse message, send an empty challenge, to which the
     * client will respond with the same data that usually comes in the
     * Initial Client Response.
     */
    if (input == NULL)
    {
        Assert(state->state == SCRAM_AUTH_INIT);

        *output = pstrdup("");
        *outputlen = 0;
        return SASL_EXCHANGE_CONTINUE;
    }

    /*
     * Check that the input length agrees with the string length of the input.
     * We can ignore inputlen after this.
     */
    if (inputlen == 0)
        ereport(ERROR,
                (errcode(ERRCODE_PROTOCOL_VIOLATION),
                 errmsg("malformed SCRAM message"),
                 errdetail("The message is empty.")));
    if (inputlen != strlen(input))
        ereport(ERROR,
                (errcode(ERRCODE_PROTOCOL_VIOLATION),
                 errmsg("malformed SCRAM message"),
                 errdetail("Message length does not match input length.")));

    switch (state->state)
    {
        case SCRAM_AUTH_INIT:

            /*
             * Initialization phase.  Receive the first message from client
             * and be sure that it parsed correctly.  Then send the challenge
             * to the client.
             */
            read_client_first_message(state, input);

            /* prepare message to send challenge */
            *output = build_server_first_message(state);

            state->state = SCRAM_AUTH_SALT_SENT;
            result = SASL_EXCHANGE_CONTINUE;
            break;

        case SCRAM_AUTH_SALT_SENT:

            /*
             * Final phase for the server.  Receive the response to the
             * challenge previously sent, verify, and let the client know that
             * everything went well (or not).
             */
            read_client_final_message(state, input);

            if (!verify_final_nonce(state))
                ereport(ERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("invalid SCRAM response"),
                         errdetail("Nonce does not match.")));

            /*
             * Now check the final nonce and the client proof.
             *
             * If we performed a "mock" authentication that we knew would fail
             * from the get go, this is where we fail.
             *
             * The SCRAM specification includes an error code,
             * "invalid-proof", for authentication failure, but it also allows
             * erroring out in an application-specific way.  We choose to do
             * the latter, so that the error message for invalid password is
             * the same for all authentication methods.  The caller will call
             * ereport(), when we return SASL_EXCHANGE_FAILURE with no output.
             *
             * NB: the order of these checks is intentional.  We calculate the
             * client proof even in a mock authentication, even though it's
             * bound to fail, to thwart timing attacks to determine if a role
             * with the given name exists or not.
             */
            if (!verify_client_proof(state) || state->doomed)
            {
                result = SASL_EXCHANGE_FAILURE;
                break;
            }

            /* Build final message for client */
            *output = build_server_final_message(state);

            /* Success! */
            result = SASL_EXCHANGE_SUCCESS;
            state->state = SCRAM_AUTH_FINISHED;
            break;

        default:
            elog(ERROR, "invalid SCRAM exchange state");
            result = SASL_EXCHANGE_FAILURE;
    }

    if (result == SASL_EXCHANGE_FAILURE && state->logdetail && logdetail)
        *logdetail = state->logdetail;

    if (*output)
        *outputlen = strlen(*output);

    return result;
}

pg_be_scram_get_mechanisms()

void pg_be_scram_get_mechanisms	(	Port *	port,
		StringInfo	buf
	)

Definition at line 181 of file auth-scram.c.

References appendStringInfoChar(), appendStringInfoString(), SCRAM_SHA_256_NAME, SCRAM_SHA_256_PLUS_NAME, and Port::ssl_in_use.

Referenced by CheckSCRAMAuth().

{
    /*
     * Advertise the mechanisms in decreasing order of importance.  So the
     * channel-binding variants go first, if they are supported.  Channel
     * binding is only supported with SSL, and only if the SSL implementation
     * has a function to get the certificate's hash.
     */
#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
    if (port->ssl_in_use)
    {
        appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
        appendStringInfoChar(buf, '\0');
    }
#endif
    appendStringInfoString(buf, SCRAM_SHA_256_NAME);
    appendStringInfoChar(buf, '\0');
}

pg_be_scram_init()

void* pg_be_scram_init	(	Port *	port,
		const char *	selected_mech,
		const char *	shadow_pass
	)

Definition at line 218 of file auth-scram.c.

References _, scram_state::channel_binding_in_use, scram_state::doomed, ereport, errcode(), errmsg(), ERROR, get_password_type(), scram_state::iterations, LOG, scram_state::logdetail, mock_scram_secret(), palloc0(), parse_scram_secret(), PASSWORD_TYPE_SCRAM_SHA_256, port, scram_state::port, psprintf(), scram_state::salt, SCRAM_AUTH_INIT, SCRAM_SHA_256_NAME, SCRAM_SHA_256_PLUS_NAME, scram_state::ServerKey, Port::ssl_in_use, scram_state::state, scram_state::StoredKey, and Port::user_name.

Referenced by CheckSCRAMAuth().

{
    scram_state *state;
    bool        got_secret;

    state = (scram_state *) palloc0(sizeof(scram_state));
    state->port = port;
    state->state = SCRAM_AUTH_INIT;

    /*
     * Parse the selected mechanism.
     *
     * Note that if we don't support channel binding, either because the SSL
     * implementation doesn't support it or we're not using SSL at all, we
     * would not have advertised the PLUS variant in the first place.  If the
     * client nevertheless tries to select it, it's a protocol violation like
     * selecting any other SASL mechanism we don't support.
     */
#ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
    if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
        state->channel_binding_in_use = true;
    else
#endif
    if (strcmp(selected_mech, SCRAM_SHA_256_NAME) == 0)
        state->channel_binding_in_use = false;
    else
        ereport(ERROR,
                (errcode(ERRCODE_PROTOCOL_VIOLATION),
                 errmsg("client selected an invalid SASL authentication mechanism")));

    /*
     * Parse the stored secret.
     */
    if (shadow_pass)
    {
        int         password_type = get_password_type(shadow_pass);

        if (password_type == PASSWORD_TYPE_SCRAM_SHA_256)
        {
            if (parse_scram_secret(shadow_pass, &state->iterations, &state->salt,
                                   state->StoredKey, state->ServerKey))
                got_secret = true;
            else
            {
                /*
                 * The password looked like a SCRAM secret, but could not be
                 * parsed.
                 */
                ereport(LOG,
                        (errmsg("invalid SCRAM secret for user \"%s\"",
                                state->port->user_name)));
                got_secret = false;
            }
        }
        else
        {
            /*
             * The user doesn't have SCRAM secret. (You cannot do SCRAM
             * authentication with an MD5 hash.)
             */
            state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM secret."),
                                        state->port->user_name);
            got_secret = false;
        }
    }
    else
    {
        /*
         * The caller requested us to perform a dummy authentication.  This is
         * considered normal, since the caller requested it, so don't set log
         * detail.
         */
        got_secret = false;
    }

    /*
     * If the user did not have a valid SCRAM secret, we still go through the
     * motions with a mock one, and fail as if the client supplied an
     * incorrect password.  This is to avoid revealing information to an
     * attacker.
     */
    if (!got_secret)
    {
        mock_scram_secret(state->port->user_name, &state->iterations,
                          &state->salt, state->StoredKey, state->ServerKey);
        state->doomed = true;
    }

    return state;
}

scram_verify_plain_password()

bool scram_verify_plain_password	(	const char *	username,
		const char *	password,
		const char *	secret
	)

Definition at line 488 of file auth-scram.c.

References elog, ereport, errmsg(), ERROR, LOG, palloc(), parse_scram_secret(), pfree(), pg_b64_dec_len(), pg_b64_decode(), pg_saslprep(), SASLPREP_SUCCESS, SCRAM_KEY_LEN, scram_SaltedPassword(), and scram_ServerKey().

Referenced by plain_crypt_verify().

{
    char       *encoded_salt;
    char       *salt;
    int         saltlen;
    int         iterations;
    uint8       salted_password[SCRAM_KEY_LEN];
    uint8       stored_key[SCRAM_KEY_LEN];
    uint8       server_key[SCRAM_KEY_LEN];
    uint8       computed_key[SCRAM_KEY_LEN];
    char       *prep_password;
    pg_saslprep_rc rc;

    if (!parse_scram_secret(secret, &iterations, &encoded_salt,
                            stored_key, server_key))
    {
        /*
         * The password looked like a SCRAM secret, but could not be parsed.
         */
        ereport(LOG,
                (errmsg("invalid SCRAM secret for user \"%s\"", username)));
        return false;
    }

    saltlen = pg_b64_dec_len(strlen(encoded_salt));
    salt = palloc(saltlen);
    saltlen = pg_b64_decode(encoded_salt, strlen(encoded_salt), salt,
                            saltlen);
    if (saltlen < 0)
    {
        ereport(LOG,
                (errmsg("invalid SCRAM secret for user \"%s\"", username)));
        return false;
    }

    /* Normalize the password */
    rc = pg_saslprep(password, &prep_password);
    if (rc == SASLPREP_SUCCESS)
        password = prep_password;

    /* Compute Server Key based on the user-supplied plaintext password */
    if (scram_SaltedPassword(password, salt, saltlen, iterations,
                             salted_password) < 0 ||
        scram_ServerKey(salted_password, computed_key) < 0)
    {
        elog(ERROR, "could not compute server key");
    }

    if (prep_password)
        pfree(prep_password);

    /*
     * Compare the secret's Server Key with the one computed from the
     * user-supplied password.
     */
    return memcmp(computed_key, server_key, SCRAM_KEY_LEN) == 0;
}